INFORMATION SYSTEMS AUDITS


Information Systems (IS) audits conducted by the Legislative Audit 
Division are designed to assess controls in an IS environment. IS 
controls provide assurance over the accuracy, reliability, and integrity 
of the information processed. From the audit work, a determination 
is made as to whether controls exist and are operating as designed. 
We conducted this IS audit in accordance with generally accepted 
government auditing standards. Those standards require that we 
plan and perform the audit to obtain sufficient, appropriate evidence 
to provide a reasonable basis for our findings and conclusions based 
on our audit objectives. We believe that the evidence obtained 
provides a reasonable basis for our findings and conclusions based on
our audit objectives. 


Members of the IS audit staff hold degrees in disciplines appropriate 
to the audit process. Areas of expertise include business, accounting, 
education, computer science, mathematics, political science, and 
public administration. 


IS audits are performed as stand-alone audits of IS controls or in 
conjunction with financial-compliance and/or performance audits 
conducted by the office. These audits are done under the oversight of 
the Legislative Audit Committee which is a bicameral and bipartisan 
standing committee of the Montana Legislature. The committee 
consists of six members of the Senate and six members of the House 
of Representatives. 

http://leg.mt.gov/audit


The Legislative Audit Committee
of the Montana State Legislature:


We conducted an Information Systems audit of the Statewide Accounting, Budgeting, 
and Human Resources System (SABHRS) maintained and operated by the Department 
of Administration to assist in the administration of financial and human resource records 
within state government. The focus of the audit was to provide assurances over SABHRS 
processes and ensure controls are in place to keep processes working as intended. We also 
reviewed some data elements in SABHRS and the recent reorganization of SABHRS 
support services. 


This report contains a recommendation for addressing duplicate payments and another
pertaining to formalizing the communication and decision-making process as it pertains
to SABHRS.


We wish to express our appreciation to the Director and department staff for their 
cooperation and assistance. 


Respectfully submitted, 
/s/ Tori Hunthausen


Tori Hunthausen, CPA 
Legislative Auditor 


Room 160 • State Capitol Building • PO Box 201705 • Helena, MT • 59620-1705
Phone (406) 444-3122 • FAX (406) 444-9784 • E-Mail lad@mt.gov


TABLE OF CONTENTS


Figures and Tables
Appointed and Administrative Officials
Report Summary

CHAPTER I - INTRODUCTION AND BACKGROUND
    Introduction
    Background
    Audit Objectives
    Audit Scope and Methodology
    Prior Audit Recommendations
    Management Memorandum

CHAPTER II - SYSTEM CHANGES
    Introduction
    System Changes
    System Access
        AR Customer Accounts
        Reissued Warrants
        Summary

CHAPTER III - DATA REVIEWS
    Introduction
    Duplicate Payments

CHAPTER IV - SABHRS SUPPORT SERVICES REORGANIZATION
    Introduction
    Communication

DEPARTMENT RESPONSE
    Department of Administration

09DP-03


FIGURES AND TABLES 
Figures 
Figure 1 Potential Duplicates vs Protection Level 


APPOINTED AND ADMINISTRATIVE OFFICIALS 


Department of Administration

Janet R. Kelly, Director
Sheryl Olson, Deputy Director
Paul Christofferson, Administrator, State Accounting Division
Nyla Johnson, Chief, SABHRS Finance and Budget Bureau
Paula Stoll, Administrator, State Human Resources Division
Randy Morris, Special Projects Manager, Human Resources Information Services Bureau
Dennis Dickenson, Acting IT Manager, Director’s Office
Dominick Speranza, Database Administrator Manager, IT Services Division




REPORT SUMMARY 


Statewide Accounting, Budgeting, and 
Human Resources System (SABHRS) 


The Statewide Accounting, Budgeting, and Human Resources System (SABHRS) is 
an enterprise computer application implemented by the State of Montana to assist 
state agencies and the Montana University System to record the disposition, use, and 
receipt of public money and property in accordance with state law. SABHRS also 
assists in the administration of human resource information, including the generation 
of a bi-weekly payroll. The responsibilities for all SABHRS maintenance and support 
are divided among three Department of Administration (DOA) entities: 


• SABHRS Finance and Budget Bureau, responsible for managing the financial
  system,

• Human Resources Information Services Bureau, responsible for the human
  resources system, and

• Information Technology Services Division, responsible for providing
  technical support.


On an annual basis an Information Systems (IS) audit is conducted to identify and 
test key controls over the application to ensure the system is operating as intended to 
maintain the integrity of business processes. IS auditors focused on modifications to 
SABHRS, system access, and data reviews. 


This report includes recommendations for identifying duplicate payments, and
implementing a formal mechanism for decision-making. The recommendation related to
duplicate payments includes implementing a minimum level of protection against 
potential duplicate payments, as well as reconciling the potential duplicates identified 
during the audit. A recent reorganization split responsibility for maintaining SABHRS 
among the three entities noted above. This change led to a recommendation to develop 
a formal mechanism for decision-making and dispute resolution regarding SABHRS. 


Chapter I - Introduction and Background


Introduction 


On an annual basis, an Information Systems audit is conducted over controls 
residing within the Statewide Accounting, Budgeting, and Human Resources System 
(SABHRS). Included in this annual audit is a review of any modifications made to 
SABHRS to determine effects on functionality. The intent of the SABHRS audit is to
identify and test key controls over the application to ensure the system is operating as
intended. In addition to this report, we provided a limited distribution memorandum
to Legislative Audit Division staff providing detailed information, controls testing and
process descriptions to consider during their work. This report includes recommendations
for strengthening controls and clarifying responsibilities.


Background 


SABHRS is an enterprise computer application implemented by the State of Montana 
to assist state agencies and the Montana University System to record the disposition, 
use, and receipt of public resources in accordance with state law (section 17-1-102, 
MCA). SABHRS also assists in the administration of human resource information, 
including the generation of a bi-weekly payroll. The responsibilities for all SABHRS 
maintenance and support are divided among three Department of Administration 
(DOA) entities: SABHRS Finance and Budget Bureau (SFABB), Human Resources 
Information Services Bureau (HRIS), and Information Technology Services Division 
(ITSD). SFABB is responsible for managing the financial system, HRIS is responsible
for the human resources system, and ITSD is responsible for providing technical
support.


SABHRS includes two subsystems: Financial and Human Resources Management. 
Within each of these subsystems are modules providing different functionality to 
SABHRS users. The Financial subsystem includes: 


• General Ledger (GL) - Acts as a single repository of all financial transaction
  records entered into SABHRS, including payables and receivables. When
  a transaction is entered, a journal line is generated. The journal line is then
  posted to the GL, where it can be used in a number of accounting functions
  including reconciliations and maintenance.

• Accounts Payable (AP) - Responsible for the processing of vouchers and
  payment to state vendors. The AP also transmits voucher data through
  interfaces with the GL and Warrant Writer.

• Accounts Receivable (AR) - Processes incoming payments and bills customers.
  AR data is transferred and posted to the GL.

• Purchasing - Stores vendor information, purchase orders, recurring contracts,
  and procurement card information for all state agencies. Purchasing
  functionality included processing purchase order information into the AP
  module. Purchasing transaction data is posted to the GL in the form of
  journals.

• Asset Management (AM) - Stores assets and calculates depreciation, gains,
  losses, and trade-in values.


The Human Resources Management (HRM) subsystem includes four modules: 


• Human Resources (HR) - The HR module is where all personnel, job
  position, and employment records are entered and maintained.

• Time and Labor (TL) - Employee's time is entered, validated, and approved
  within this module, resulting in actual compensation for employees.

• Benefits Administration - Responsible for defining what benefits (medical,
  retirement, leave, etc.) an employee is eligible for.

• Payroll - Responsible for calculating earnings, deductions, and net pay based
  on information entered within the other three HRM modules.


All of these modules include functionality relied on by agency finance and HR users in 
the management of financial and human resources. 


Audit Objectives 
This information systems audit addressed the following objectives: 


1. Verify the implementation status of previous audit recommendations.

2. Confirm modifications to SABHRS have not negatively affected baseline processes
   and the department has developed and implemented change management
   controls.

3. Verify access to the system is controlled and limited to those with a valid business
   requirement.

4. Review select data elements as identified through audit work.

5. Determine if reorganization has had any negative impact on SABHRS
   operations.


Audit Scope and Methodology 


This audit focused on modifications made to SABHRS functionality since our last 
audit. We also reviewed user access, which is ever-changing and presented an increased 
risk with the recent reorganization. Finally, we performed data analysis to identify 
potential data integrity issues regarding SABHRS data and rates. When our data 
analysis results in questions requiring review at the agency level, we provide the results 
to Legislative Audit staff for their review during agency audits. Such was the case when
our audit work identified records with negative depreciation, and account balances
that differed from state policy. These have been provided to audit staff for consideration
during agency audits.


Methodology included interviewing staff, query and analysis of SABHRS data, and 
observation of SABHRS operations. We evaluated the control environment using state 
policies and criteria established in the IT Governance Institute's Control Objectives 
for Information and Related Technology (COBIT). The audit was conducted in 
accordance with Government Auditing Standards published by the United States 
Government Accountability Office (GAO). 


Prior Audit Recommendations 


In the previous SABHRS audit report (08DP-03), we made two recommendations 
to DOA. Both recommendations addressed SABHRS incompatible access privileges. 
One of the objectives of this year’s audit was to verify the implementation status of
these two prior audit recommendations.


We recommended the department develop and implement procedures and controls 
to address conflicting access roles in SABHRS. The department has developed and 
implemented procedures for identifying and removing conflicting access roles, as 
well as controls to ensure agency users cannot be assigned conflicting access roles. 
The procedures for granting access to the HR module now require a comparison of
what the user currently has and what access is being requested to ensure users are not 
assigned conflicting access roles. 


We also recommended the department remove programmer access allowing modification
to programming code and database tables in the production environment and
instead develop and implement procedures to provide temporary programmer access 
in emergency situations. The department has implemented this recommendation. 


Management Memorandum 


During the course of our audit, we made an observation regarding measuring the success 
of the reorganization of SABHRS services, which we believe warrants management 
attention. This observation is not included as a recommendation in this report, but was 
presented to the Department of Administration for its consideration. 


Chapter II - System Changes


Introduction 


Each year we review modifications to the Statewide Accounting, Budgeting, and 
Human Resources System (SABHRS) that have occurred since the last audit. Based 
on this year’s review of system modifications, we determined that SABHRS has not 
been updated to a different version and many of the core processes remain unchanged. 
Our audit work then focused on functionality affected by minor system modifications
made since the last audit, as well as areas requiring continual review such as system
access.


System Changes 


System changes include changes from vendor provided updates, user requested 
changes, and implementation of new system functionality. We reviewed all system 
changes that were implemented since our previous audit. We identified 11 changes 
in the Financial subsystem and 16 changes in the Human Resources Management 
subsystem (HRM). 


We also reviewed department change management procedures to ensure controls are 
in place. Department procedures require a formal request for change, documentation 
of changes to be completed, testing of all changes in a test environment that matches 
the production database, approval of all changes, and subsequent migration into the 
production database. We reviewed documentation for five system changes to ensure 
change management procedures were followed. Our sample included changes from all 
three Financial modules modified this year (General Ledger (GL), Accounts Payable 
(AP), and Accounts Receivable (AR)), as well as a user requested change and a vendor 
provided update to the HRM subsystem. We noted all necessary documentation 
indicating change management procedures were followed. 


CONCLUSION


Based on our review of system changes in SABHRS, modifications have not 
negatively affected baseline processes, and the Department of Administration 
has developed and implemented change management controls. 


System Access 


While a system change might be reviewed only once to ensure it is working, other 
changes (like system access) require ongoing review to provide continued assurance. 
According to industry reports, one of the greatest threats to information security is
employees. Employees typically have access to a company’s personal computers and
computer networks, and they often know precisely what information is valuable and
where to find it. Managing system access is the first line of defense against the misuse
of information. Managing system access includes identifying access needs and capabilities,
granting access to the system, monitoring access, and reviewing and adjusting
access as needed. Montana Operations Manual (MOM 2-9900) guidance suggests 
management ensure adequate separation of responsibilities, and IT Governance 
Institute’s Control Objectives for Information and Related Technology (COBIT) 
suggests a division of roles and responsibilities in areas of risk to ensure no single user 
has access to compromise the system and users are limited to access relevant to their 
specific job duties. 


We reviewed the following to ensure SABHRS access is controlled and appropriate: 
• access to modify the state’s vendor table

• access to create and approve new/changed AR customer accounts is
  segregated

• access to modify a GL journal

• access to initiate and approve an inter-unit journal is segregated

• access to initiate on-cycle and off-cycle payroll processing has an identified
  need

• only authorized employees can update and modify HR rates

• write access to the four voucher tables and the payment table is limited

• activity of users with access to change/re-issue warrants is logged and
  reviewed

• access to the staging tables is limited


CONCLUSION


Based on our review, access to the system is controlled and is limited to those 
with a valid business requirement. However, our review of these controls 
identified two areas where further audit work was necessary. 


AR Customer Accounts 


In addition to MOM policy and COBIT suggestions to create a separation 
of responsibilities, the Department of Administration’s Financial Roles and 
Responsibilities policy specifies that no user with access to create an AR customer 
account will have access to approve an AR customer account. We identified one user
with access to create/change and approve AR customer accounts. For business reasons,
State Accounting Division (SAD) management decided access for the individual is
required and therefore knowingly allows and accepts the risk involved with the access.
To compensate for this incompatible access, SAD personnel developed queries to view
names of individuals who have created/changed and approved AR customer accounts.
The queries are run manually from the SABHRS application at the discretion of SAD
management.


Reissued Warrants 


The second area where further audit work was conducted related to department 
monitoring of activities of users with access to change and reissue warrants. The
department's control is a query identifying warrants that have been created or changed 
by SAD staff, and then comparing the addresses on the warrants with the addresses 
of SAD staff to ensure there are no matches. The queries are run manually from the 
SABHRS application at the discretion of management. 


Summary 


State policy (MOM 2-9900) guides managers to develop methods to minimize 
identified risks. In both cases noted previously, department management identified 
risks and established compensating controls through the use of queries for monitoring 
activity of users. While there is no department policy or procedure for documenting 
use of the queries and review of monitoring results, the department has taken steps to 
minimize identified risks. While we did not identify any problems with the queries, 
there was no way for auditors to verify use of the queries and review of results due to 
the lack of documentation. Therefore, we cannot conclude on the effectiveness of these 
controls as a method of minimizing identified risks. 


CONCLUSION


We conclude, while further improvement could be achieved by documenting 
control procedures and results of monitoring, the Department of 
Administration has implemented monitoring controls to mitigate risks 
presented by excessive access to the Accounts Receivable module and 
access to change or reissue warrants. 
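

The two monitoring queries described above, sketched as an added example (not the department's queries and not part of the original report): it flags AR customer accounts created or changed and approved by the same user, matches warrant payee addresses against staff addresses, and produces a dated review record so that each run leaves evidence. All data, field layouts, user IDs and function names are constructed assumptions.

```python
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample data. Field layouts and user IDs are assumptions for this
# example; they are not SABHRS table or column names.
AR_CUSTOMER_EVENTS = [  # (customer_id, action, user)
    ("C100", "create", "jdoe"), ("C100", "approve", "asmith"),
    ("C101", "create", "mlee"), ("C101", "approve", "mlee"),
    ("C102", "change", "mlee"), ("C102", "approve", "asmith"),
]
STAFF_ADDRESSES = {  # user -> home address on file
    "mlee": "12 Elm St., Helena, MT 59601",
    "asmith": "400 N Park Ave Apt 2, Helena, MT 59601",
}
WARRANT_CHANGES = [  # (warrant_no, changed_by, payee_address)
    ("W-5001", "asmith", "PO Box 77, Butte, MT 59701"),
    ("W-5002", "mlee", "400 N. Park Ave. apt 2  Helena MT 59601"),
]


def normalize_address(addr):
    """Lowercase and drop punctuation/spacing so trivial variants compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()


def self_approved_accounts(events):
    """AR customer accounts created or changed and approved by the same user."""
    makers, approvers = defaultdict(set), defaultdict(set)
    for customer, action, user in events:
        (approvers if action == "approve" else makers)[customer].add(user)
    return sorted((c, u) for c in makers for u in makers[c] & approvers[c])


def warrants_to_staff_addresses(changes, staff_addresses):
    """Created/changed warrants whose payee address matches a staff address."""
    owners = {normalize_address(a): u for u, a in staff_addresses.items()}
    hits = []
    for warrant, changed_by, address in changes:
        owner = owners.get(normalize_address(address))
        if owner is not None:
            hits.append((warrant, changed_by, owner))
    return hits


def review_record(reviewer, run_at, findings):
    """Evidence that the queries ran and were reviewed; the digest ties the
    record to the exact result set that the reviewer saw."""
    body = json.dumps(findings, sort_keys=True)
    return {
        "reviewer": reviewer,
        "run_at": run_at,
        "exceptions": sum(len(rows) for rows in findings.values()),
        "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
        "findings": findings,
    }


def run_monitoring(reviewer, run_at):
    findings = {
        "ar_self_approved": self_approved_accounts(AR_CUSTOMER_EVENTS),
        "warrant_address_match": warrants_to_staff_addresses(
            WARRANT_CHANGES, STAFF_ADDRESSES),
    }
    return review_record(reviewer, run_at, findings)


if __name__ == "__main__":
    # One JSON line per run, suitable for an append-only review log.
    print(json.dumps(run_monitoring("sad_manager", "2009-06-01T09:00:00Z")))
```

Running the checks on a schedule and retaining each record, including runs with zero exceptions, gives an auditor something to verify beyond the existence of the queries.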




Chapter III - Data Reviews 


Introduction 


We identified several data elements that initially presented potential areas of risk 
including: 
• duplicate payments to vendors
• payment amounts over invoice amounts
• changes to reissued warrants
• matching addresses between users and vendors
• unique employee ID numbers
• assets with a negative depreciation
• account balance outside of normal policy ranges


This chapter discusses a potential issue with duplicate payments. 


Duplicate Payments 


The Statewide Accounting, Budgeting, and Human Resources System (SABHRS) is 
used by every agency and university to pay vendor submitted invoices. Overpayment 
to a vendor can occur when duplicate payments are issued based on a single invoice, 
either through error or intentionally. To determine if duplicate payments have been 
made, we performed data analysis on SABHRS invoice and voucher data from fiscal year
2006 and newer, which included over seven million records, to identify duplicate 
payments. We imported the records into a computer assisted audit tool and filtered out 
all invoices that were not approved or were closed prior to posting to ensure only actual 
payments were included in our review. We used the audit tool to filter out voucher 
records sharing the same invoice number, vendor, payment amount, and invoice date. 
This resulted in 103 records with 48 total invoices having potential duplicate payments
totaling $51,306.90.


SABHRS includes functionality to identify duplicate payments. Agencies can choose 
to configure SABHRS to identify duplicate payments based on any combination of 
the following criteria: 


• Vendor Number
• Invoice Date
• Invoice Gross Amount
• Invoice Number
• Business Unit


Agencies determine the course of action SABHRS will take when payments are 
identified as possible duplicates, based on the agency’s choice of the criteria above. 
SABHRS includes one of three options on how to deal with duplicate payments:


• Reject - will not allow duplicate to save or post to the system.

• Recycle - will allow duplicate to be saved but will not post as a valid
  payment.

• Warning - duplicate payment will post, and agency will receive a warning.


The intent of this functionality is to notify agencies when a duplicate invoice is 
detected in the system. However, agencies are not required to use this functionality. 
The criterion for this process is set per business unit. A business unit is an identifier
in SABHRS used by agencies to record financial activities. In order to facilitate more 
efficient accounting practices, some agencies create multiple business units. Currently, 
there are 108 business units identified in SABHRS. Of the 108 business units in the 
system, 16 are set to reject, 75 are set to recycle, and 17 are set to warning. Of the 108 
business units, 40 have not chosen any criteria to check against or are set to give only a 
warning. Of the 48 possible duplicates we identified, 29 have no duplicate protection 
(no criteria chosen), 15 have warning set, 4 are recycle, and 0 are reject. 


The chart below shows the relationship between the levels of protection chosen by 
agencies and the potential duplicates identified during our analysis. As the level of 
protection increases, the number of potential duplicates drops. At the highest level of 
protection (reject), no potential duplicates were identified. 


Figure 1 
Potential Duplicates vs Protection Level 
Source: Compiled by the Legislative Audit Division.
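

The duplicate-payment analysis described in this chapter, as an added example that is not the audit tool or SABHRS code: it keeps only approved vouchers that were not closed before posting, groups them on invoice number, vendor, payment amount and invoice date, and tallies the resulting groups by each business unit's protection level. The data, field names, the overpayment measure and the weakest-level rule for a group that spans business units are assumptions of this example.

```python
from collections import defaultdict
from decimal import Decimal

LEVELS = ["none", "warning", "recycle", "reject"]  # weakest to strongest

# Constructed business-unit settings: (criteria chosen, action on a match).
BU_CONFIG = {
    "BU-A": ((), "recycle"),  # an action is set, but no criteria were chosen
    "BU-B": (("vendor", "invoice"), "warning"),
    "BU-C": (("vendor", "invoice", "amount"), "recycle"),
    "BU-D": (("vendor", "invoice", "date", "amount"), "reject"),
}

# Constructed voucher rows; field names are assumptions, not SABHRS columns.
FIELDS = ("voucher", "bu", "vendor", "invoice", "date", "amount",
          "approved", "closed")
ROWS = [
    ("V001", "BU-A", "0001", "INV-17", "2008-03-04", "1250.00", True, False),
    ("V002", "BU-A", "0001", "INV-17", "2008-03-04", "1250.00", True, False),
    ("V003", "BU-A", "0001", "INV-17", "2008-03-04", "1520.00", True, False),  # amount differs
    ("V004", "BU-B", "0002", "8841", "2008-05-19", "310.40", True, False),
    ("V005", "BU-B", "0002", "8841", "2008-05-19", "310.40", True, False),
    ("V006", "BU-C", "0003", "A-9", "2008-06-01", "75.00", True, False),
    ("V007", "BU-C", "0003", "A-9", "2008-06-01", "75.00", False, False),  # never approved
    ("V008", "BU-C", "0004", "B-2", "2008-07-11", "990.00", True, False),
    ("V009", "BU-C", "0004", "B-2", "2008-07-11", "990.00", True, True),   # closed before posting
    ("V010", "BU-D", "0005", "C-5", "2008-08-02", "42.00", True, False),
    ("V011", "BU-A", "0005", "C-5", "2008-08-02", "42.00", True, False),   # same invoice, other unit
]
VOUCHERS = [dict(zip(FIELDS, row)) for row in ROWS]


def protection_level(bu):
    """A unit with no criteria has no protection, whatever action is set."""
    criteria, action = BU_CONFIG[bu]
    return action if criteria else "none"


def potential_duplicates(vouchers):
    """Group actual payments on the audit's four-field key; keep groups of 2+."""
    groups = defaultdict(list)
    for v in vouchers:
        if not v["approved"] or v["closed"]:
            continue  # not an actual payment
        key = (v["invoice"], v["vendor"], Decimal(v["amount"]), v["date"])
        groups[key].append(v["voucher"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def overpayment(dups):
    """This example's measure: amount paid beyond the first payment per invoice."""
    return sum((k[2] * (len(ids) - 1) for k, ids in dups.items()), Decimal("0"))


def by_protection_level(dups, vouchers):
    """Count duplicate groups under the weakest level among the units involved
    (an assumption; the key above deliberately ignores business unit)."""
    bu_of = {v["voucher"]: v["bu"] for v in vouchers}
    counts = {level: 0 for level in LEVELS}
    for ids in dups.values():
        weakest = min((protection_level(bu_of[i]) for i in ids), key=LEVELS.index)
        counts[weakest] += 1
    return counts


if __name__ == "__main__":
    dups = potential_duplicates(VOUCHERS)
    for key, ids in sorted(dups.items()):
        print(key, ids)
    print("overpayment:", overpayment(dups))
    print("by level:", by_protection_level(dups, VOUCHERS))
```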


State policy (MOM 2-0250.00) requires agencies to take steps to ensure a payment 
was not previously issued. Policy further states if a fraudulent or duplicate payment 
is identified, every effort should be made to recover the funds, and the breakdown in 
controls that allowed the improper payment should be identified and eliminated. 


Although the SABHRS Finance and Budget Bureau is responsible for maintenance and 
upkeep of SABHRS, their philosophy is that the agencies are responsible for their own 
accounting and vendor payments. SABHRS provided functionality that will identify 
and stop payment of potential duplicates until management review and approval. 
However, this functionality is optional. As noted above, the majority of the possible 
duplicates were from agencies that had not implemented the SABHRS controls; 
agencies using the highest protection available (reject) had no identified duplicates 
in the system. However, according to department personnel, using reject can cause 
problems with system processing, thus limiting the reject option as a viable choice 
for every agency. The potential duplicates identified during our audit were provided 
to State Accounting Division personnel who are working with agencies to review and 
resolve the payments accordingly. 


RECOMMENDATION #1 


We recommend the Department of Administration: 


A. Establish a statewide minimum level of protection in the system 
regarding identification of duplicate payments. 


B. Reconcile the potential duplicate payments identified during our audit. 


Chapter IV - SABHRS Support
Services Reorganization


Introduction 


Since our last audit, the Department of Administration (DOA) reorganized Statewide 
Accounting, Budgeting, and Human Resources System (SABHRS) Support Services 
Bureau into three separate entities: 


• the SABHRS Finance and Budget Bureau (SFABB) responsible for the
  Financial subsystem

• the Human Resources Information Services (HRIS) Bureau responsible for
  the Human Resources Management subsystem

• the Information Technology Services Division (ITSD) responsible for
  providing technical support


One of our audit objectives was to determine what effects this change in structure has
had, if any, on SABHRS.


A reorganization causes change which increases risks in certain areas such as access and 
change control procedures. We focused on user access and communication between 
SFABB, HRIS, and ITSD. Based on our audit work, we determined SFABB and HRIS 
reviewed user access to the system, after the reorganization, to ensure only appropriate 
user access existed. We identified an issue related to communication between the three 
entities which is discussed in the next section. 


Communication 


Prior to the reorganization, communication regarding SABHRS was internal to a 
single entity: the SABHRS Support Services Bureau. The reorganization resulted in 
a division of SABHRS responsibilities, which increased the need for discussion and 
documentation of a method of communication and decision-making between the 
three new entities. However, during our audit, we did not identify any formal method 
of communication. The lack of a formal method for communication impacted the 
SABHRS decision-making process. 


An example of an impact was a communication breakdown during the creation of 
a Service Level Agreement (SLA). Typically, an SLA would be in place as soon as 
possible to identify provision of services and costs, among other things. However, after 
nearly a year since the reorganization, an SLA for SABHRS had not been finalized and 
formally signed. While department personnel indicated development of the SLA was 
complex, our observations indicated managers within the three entities could not agree 
on SLA language that would ensure provision of adequate support for SABHRS.

The lack of a finalized SLA has not negatively impacted SABHRS, although without a 
formal understanding of which group is responsible for maintaining different aspects of 
SABHRS, there could be system availability issues. More concerning is the issue with 
communication between the three. All three groups will need to be actively involved 
in any decisions regarding SABHRS. If agreements cannot be reached, it is possible 
that critical updates or new functionality will be impacted, which could include not 
being implemented. Future plans for a major upgrade of SABHRS increase the need
for a clear process for communication and decision-making. 


The fact there are now three entities that have an active role in maintaining SABHRS
increases the need for a more formal communication and decision-making process. 
However, following the reorganization, a formal methodology of communication and 
decision-making regarding SABHRS was not established. We noted one example of 
an impact to SABHRS in regard to finalizing the SLA where the three entities could 
not reach agreement, so the issue was finally taken to the Director for resolution. To 
avoid future delays and to ensure the best solution in terms of SABHRS, a formal 
communication and decision-making process should be defined. 




RECOMMENDATION #2 


We recommend the Department of Administration develop a formal 
mechanism for department personnel to make decisions and resolve disputes 
regarding the Statewide Accounting, Budgeting, and Human Resources 
System. 


[Received stamp: RECEIVED, JUN 08 2009, LEGISLATIVE AUDIT DIV.]

Ms. Tori Hunthausen
Legislative Auditor
PO Box 201705
Helena, MT 59620-1705


RE: Information Systems Audit #09DP-03: Statewide Accounting, Budgeting,
and Human Resources System (SABHRS) 


Dear Ms. Hunthausen: 

The Department of Administration has reviewed the Information Systems Audit of 
the Statewide Accounting, Budgeting, and Human Resources System (SABHRS) 
and the recommendations contained therein. Our response to the 
recommendations appears below: 

Recommendation #1: 


We recommend the Department of Administration: 


A. Establish a statewide minimum level of protection in the system regarding 
identification of duplicate payments 


B. Reconcile the potential duplicate payments identified during our audit. 
Response: 

A. Concur. The State Accounting Division will implement a statewide policy, 
establishing the minimum duplicate payment options necessary to limit the 
State’s exposure to possible duplicate payments in the SABHRS system. 
This policy will be established by September 1, 2009. 

B. Concur. The State Accounting Division will continue to work with all
agencies to reconcile the potential duplicate payments identified by the
audit staff.




Recommendation #2: 


We recommend the Department of Administration develop a formal mechanism for 
department personnel to make decisions and resolve disputes regarding the 
Statewide Accounting, Budgeting, and Human Resources System. 


Response: 

Concur. The Information Technology Services Division (ITSD) and the two 
SABHRS entities signed Service Level Agreements that include a formal dispute 
resolution process. Additionally, the Department reestablished the Information 
Technology Manager position to provide the necessary oversight and coordination 
required to identify and resolve information technology issues. 

My staff and I appreciated the courtesy and professionalism of the legislative audit
staff in conducting this audit. The Department always views the audit process as 
an opportunity for improvement and welcomes your input. 


The Department's Corrective Action Plan (CAP) is attached. 


Janet R. Kelly, Director


Attachment 